Open Dental is medical dental records management software. Open Dental version 16.1, and previous versions, installs with a blank root database (MySQL) password by default. An attacker with network access to an Open Dental MySQL database could read, modify, or delete data.
This Vulnerability Note initially, and incorrectly, stated that Open Dental used hard-coded credentials. The Impact section also implied that, in its default configuration, the Open Dental database was available over remote networks such as the internet. An Open Dental database would need to be specifically configured to allow remote network access.
Open Dental provided the following statements.
An attacker with network access to an Open Dental MySQL database could read, modify, or delete data. The attacker would most likely need local network access.
Update MySQL database credentials and enable further protections
Restrict network access
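The following audit is an added example, not part of the original note and not Open Dental's code. It checks for the two conditions described above: accounts with a blank password, and whether the server is reachable beyond loopback. It assumes the administrator has exported (user, host, password hash) rows from `mysql.user` and has the server's option file as text; the sample rows, sample option file, and function names are constructed for illustration.

```python
import configparser

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def server_listens_on_network(my_cnf_text):
    """True if the [mysqld] section leaves TCP reachable beyond loopback."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    cp.read_string(my_cnf_text)
    opts = {}
    if cp.has_section("mysqld"):
        # MySQL accepts '-' and '_' interchangeably in option names.
        opts = {k.replace("-", "_"): v for k, v in cp.items("mysqld")}
    if "skip_networking" in opts:
        if str(opts["skip_networking"]).lower() not in ("0", "off", "false"):
            return False  # TCP listener disabled entirely
    # With no bind-address set, mysqld listens on all interfaces.
    return opts.get("bind_address", "*") not in LOCAL_HOSTS

def audit_accounts(rows, my_cnf_text):
    """Return (user, host, exposure) for every account with a blank password."""
    networked = server_listens_on_network(my_cnf_text)
    findings = []
    for user, host, pw_hash in rows:
        if pw_hash:  # a password is set, so this account is not the issue here
            continue
        remote = networked and host not in LOCAL_HOSTS
        findings.append(
            (user, host, "network-reachable" if remote else "local-only"))
    return findings

# Constructed sample input (not taken from a real installation).
SAMPLE_CNF = """
[mysqld]
port = 3306
# bind-address left unset
"""
SAMPLE_ROWS = [
    ("root", "localhost", ""),
    ("root", "%", ""),
    ("backup", "192.168.1.%", "*0000000000000000000000000000000000000000"),
]

if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_ROWS, SAMPLE_CNF):
        print("blank password:", finding)
```

Any row reported here needs a password set; rows marked network-reachable also call for binding the server to loopback or firewalling the MySQL port.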
Thanks to Justin Shafer for reporting this vulnerability.
This document was written by Garret Wassermann.
|Date First Published:|2016-09-06|
|Date Last Updated:|2016-09-13 08:27 UTC|